Add an option to pass secrets to Nova MacOS job (#4626)

This allows passing secrets from the caller to the sharable workflow. Linux job has it, but this feature is not available on MacOS job. ### Testing https://github.com/pytorch/test-infra/actions/runs/6475743356
pytorch · Oct 10, 2023 · 16c30a2 · 16c30a2
1 parent f851855
commit 16c30a2
Show file tree

Hide file tree

Showing 7 changed files with 144 additions and 99 deletions.
diff --git a/.github/scripts/run_docker_with_env_secrets.py b/.github/scripts/run_docker_with_env_secrets.py
diff --git a/.github/scripts/run_with_env_secrets.py b/.github/scripts/run_with_env_secrets.py
@@ -0,0 +1,100 @@
+import json
+import os
+import re
+import shutil
+import subprocess
+import sys
+
+
+def run_cmd_or_die(cmd):
+    print(f"Running command: {cmd}")
+    p = subprocess.Popen(
+        "/bin/bash",
+        stdout=subprocess.PIPE,
+        stdin=subprocess.PIPE,
+        stderr=subprocess.STDOUT,
+        bufsize=1,
+        universal_newlines=True,
+    )
+    p.stdin.write("set -e\n")
+    p.stdin.write(cmd)
+    p.stdin.write("\nexit $?\n")
+    p.stdin.close()
+
+    result = ""
+    while p.poll() is None:
+        line = p.stdout.readline()
+        if line:
+            print(line, end="")
+        result += line
+
+    # Read any remaining output
+    for line in p.stdout:
+        print(line, end="")
+        result += line
+
+    exit_code = p.returncode
+    if exit_code != 0:
+        raise RuntimeError(f"Command {cmd} failed with exit code {exit_code}")
+    return result
+
+
+def main():
+    all_secrets = json.loads(os.environ["ALL_SECRETS"])
+    secrets_names = [x for x in sys.argv[1].split(" ") if x]
+    if not secrets_names:
+        secrets_names = all_secrets.keys()
+    secrets_u_names = [
+        re.sub(r"[^a-zA-Z0-9_]", "", f"SECRET_{x.upper()}".replace("-", "_"))
+        for x in secrets_names
+    ]
+
+    for sname, senv in zip(secrets_names, secrets_u_names):
+        try:
+            os.environ[senv] = str(all_secrets.get(sname, ""))
+        except KeyError as e:
+            print(f"Could not set {senv} from secret {sname}: {e}")
+
+    docker_path = shutil.which("docker")
+    if not docker_path:
+        run_cmd_or_die(f"bash { os.environ.get('RUNNER_TEMP', '') }/exec_script")
+    else:
+        container_name = (
+            run_cmd_or_die(
+                f"""
+        docker run \
+            -e PR_NUMBER \
+            -e RUNNER_ARTIFACT_DIR=/artifacts \
+            -e RUNNER_DOCS_DIR=/docs \
+            -e RUNNER_TEST_RESULTS_DIR=/test-results \
+            --env-file="{ os.environ.get('RUNNER_TEMP', '') }/github_env_{ os.environ.get('GITHUB_RUN_ID', '') }" \
+            `# It is unknown why the container sees a different value for this.` \
+            -e GITHUB_STEP_SUMMARY \
+            { ' '.join([ f'-e {v}' for v in secrets_u_names ]) } \
+            --cap-add=SYS_PTRACE \
+            --detach \
+            --ipc=host \
+            --security-opt seccomp=unconfined \
+            --shm-size=2g \
+            --tty \
+            --ulimit stack=10485760:83886080 \
+            { os.environ.get('GPU_FLAG', '') } \
+            -v "{ os.environ.get('GITHUB_WORKSPACE', '') }/{ os.environ.get('REPOSITORY', '') }:/{ os.environ.get('REPOSITORY', 'work') }" \
+            -v "{ os.environ.get('GITHUB_WORKSPACE', '') }/test-infra:/test-infra" \
+            -v "{ os.environ.get('RUNNER_ARTIFACT_DIR', '') }:/artifacts" \
+            -v "{ os.environ.get('RUNNER_DOCS_DIR', '') }:/docs" \
+            -v "{ os.environ.get('RUNNER_TEST_RESULTS_DIR', '') }:/test-results" \
+            -v "{ os.environ.get('RUNNER_TEMP', '') }/exec_script:/exec" \
+            -v "{ os.environ.get('GITHUB_STEP_SUMMARY', '') }":"{ os.environ.get('GITHUB_STEP_SUMMARY', '') }" \
+            -w /{ os.environ.get('REPOSITORY', 'work') } \
+            "{ os.environ.get('DOCKER_IMAGE', '') }"
+        """  # noqa: E501
+            )
+            .replace("\n", "")
+            .strip()
+        )
+        run_cmd_or_die(f"docker exec -t {container_name} /exec")
+
+
+if __name__ == "__main__":
+    main()
diff --git a/.github/workflows/linux_job.yml b/.github/workflows/linux_job.yml
@@ -208,7 +208,7 @@ jobs:
             echo "${SCRIPT}";
           } > "${RUNNER_TEMP}/exec_script"
           chmod +x "${RUNNER_TEMP}/exec_script"
-          python3 "${{ github.workspace }}/test-infra/.github/scripts/run_docker_with_env_secrets.py" "${{ inputs.secrets-env }}"
+          python3 "${{ github.workspace }}/test-infra/.github/scripts/run_with_env_secrets.py" "${{ inputs.secrets-env }}"
 
       - name: Run script outside container
         if: ${{ inputs.run-with-docker == false }}

diff --git a/.github/workflows/macos_job.yml b/.github/workflows/macos_job.yml
@@ -62,6 +62,10 @@ on:
         required: false
         default: ''
         type: string
+      secrets-env:
+        description: "List of secrets to be exported to environment variables"
+        type: string
+        default: ''
 
 jobs:
   job:
@@ -129,6 +133,8 @@ jobs:
         shell: bash -l {0}
         continue-on-error: ${{ inputs.continue-on-error }}
         working-directory: ${{ inputs.repository }}
+        env:
+          ALL_SECRETS: ${{ toJSON(secrets) }}
         run: |
           {
             echo "#!/usr/bin/env bash";
@@ -140,7 +146,7 @@ jobs:
           while read line; do
             eval "export ${line}"
           done < "${RUNNER_TEMP}/github_env_${GITHUB_RUN_ID}"
-          bash "${RUNNER_TEMP}/exec_script"
+          python3 "${{ github.workspace }}/test-infra/.github/scripts/run_with_env_secrets.py" "${{ inputs.secrets-env }}"
 
       - name: Surface failing tests
         if: always()

diff --git a/.github/workflows/test_linux_job.yml b/.github/workflows/test_linux_job.yml
@@ -6,7 +6,7 @@ on:
       - .github/workflows/linux_job.yml
       - .github/workflows/test_linux_job.yml
       - .github/actions/setup-linux/action.yml
-      - .github/scripts/run_docker_with_env_secrets.py
+      - .github/scripts/run_with_env_secrets.py
   workflow_dispatch:
 
 jobs:

diff --git a/.github/workflows/test_macos_job.yml b/.github/workflows/test_macos_job.yml
@@ -5,6 +5,7 @@ on:
     paths:
       - .github/workflows/macos_job.yml
       - .github/workflows/test_macos_job.yml
+      - .github/scripts/run_with_env_secrets.py
   workflow_dispatch:
 
 jobs:
@@ -87,3 +88,36 @@ jobs:
       download-artifact: my-cool-artifact
       script: |
         grep  "hello" "${RUNNER_ARTIFACT_DIR}/cool_beans"
+  test-secrets-no-filter-var:
+    uses: ./.github/workflows/macos_job.yml
+    secrets: inherit
+    strategy:
+      matrix:
+        include:
+          - runner: macos-m1-12
+          - runner: macos-13-xlarge
+      fail-fast: false
+    with:
+      job-name: "test-secrets-no-filter-var"
+      runner: ${{ matrix.runner }}
+      test-infra-repository: ${{ github.repository }}
+      test-infra-ref: ${{ github.ref }}
+      script: |
+        [[ "${SECRET_NOT_A_SECRET_USED_FOR_TESTING}" == "SECRET_VALUE" ]] || exit 1
+  test-secrets-filter-var:
+    uses: ./.github/workflows/macos_job.yml
+    secrets: inherit
+    strategy:
+      matrix:
+        include:
+          - runner: macos-m1-12
+          - runner: macos-13-xlarge
+      fail-fast: false
+    with:
+      job-name: "test-secrets-filter-var"
+      runner: ${{ matrix.runner }}
+      secrets-env: "NOT_A_SECRET_USED_FOR_TESTING"
+      test-infra-repository: ${{ github.repository }}
+      test-infra-ref: ${{ github.ref }}
+      script: |
+        [[ "${SECRET_NOT_A_SECRET_USED_FOR_TESTING}" == "SECRET_VALUE" ]] || exit 1
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -20,7 +20,7 @@ jobs:
   test-tools:
     name: Test tools
     if: ${{ github.repository == 'pytorch/test-infra' }}
-    uses: pytorch/test-infra/.github/workflows/linux_job.yml@main
+    uses: ./.github/workflows/linux_job.yml
     with:
       docker-image: python:3.11.0-slim-bullseye
       runner: linux.large